This final report is provided to satisfy a contract deliverable. We summarize here our results in automated reasoning under this contract. Many of these words are taken from past reports to ONR.

The development of the Boyer-Moore “Nqthm” theorem prover was supported in part for approximately 20 years by the Office of Naval Research. The long range objective of this research has been to enable programmers to produce software that is mathematically proven to meet its specifications by using mechanical theorem-proving programs that check proofs.

We begin this report with a section listing some accomplishments under this contract related to Nqthm. In particular, the evolution of that system culminated in the release in January, 1994, of the final versions of Nqthm and Pc-Nqthm; see Subsection 1.2 below. Included are results produced during this contract whose work was supported during our preceding ONR contract.

The second section pertains to the main focus of this contract: A Computational Logic for Applicative Common Lisp, or Acl2, which is a theorem proving system that is the successor to Nqthm. The section begins with some background on Acl2, with words describing the Acl2 project from a time shortly before the beginning of this contract. Much progress has been made since that time, which we summarize in the second section of this report, deferring many more details to an Appendix.

The third section lists publications, reports, presentations, and awards and honors, as drawn from previous ONR annual reports. We conclude with the Appendix mentioned above.


1. Results outside Acl2

1.1 UNITY

Some papers by David Goldschlag on his mechanization of the UNITY logic using Nqthm appeared during this contract. They are listed in Section 3.

1.2 Nqthm Release

In January, 1994, we completed the final release of Nqthm and Pc-Nqthm, which are generally known as “the Boyer-Moore theorem prover” and “its interactive enhancement.” The systems are publicly available from Internet host ftp.cli.com and include many megabytes of proved theorems.

The final release of Nqthm cleans up a few details and, perhaps more importantly, includes an assemblage of many thousands of theorems successfully processed by the system; similarly for Pc-Nqthm. This is a quantitative accomplishment for which ONR can be proud (and has received much credit). It seems clear that this is the largest collection of formal mathematics ever assembled. We believe that this massive collection of theorems provides strong evidence that existing technology can be used to proof check mechanically essentially anything that can be proved by hand.

As an example, the so-called “CLInc stack” of computing systems, which was the focus of an issue of the Journal of Automated Reasoning, contains the proof of correctness of a compiler from a small Pascal-like language; a proof of correctness of an assembler from that compiler’s target down to a machine language; and a proof of correctness of an implementation of that machine language in hardware. A successor to that machine has, in fact, been fabricated, and the entire “stack” proof has been ported to sit on that processor. Thus, Nqthm and Pc-Nqthm have been used to prove the correctness of a high-level language on a fabricated processor, which may be the single greatest accomplishment in mechanized formal methods.

Computational Logic’s Technical Report 75, available upon request, summarizes these proofs using Nqthm and Pc-Nqthm. We should also mention that we have brought the Nqthm documentation up to date.

1.3 Mechanizing Quantification

With ONR support in previous years, we have created an implementation of full first-order quantification for Nqthm. That facility is part of Pc-Nqthm.

In Computational Logic Technical Report 81, we present an implementation of a recognizer for quantified notions defined in Nqthm. That is, we provide a method for checking that a given function (defined without quantifiers) does indeed represent a quantified notion. We also present methods for generating constructively-presented functions that represent quantified notions, including definitions using only bounded quantifiers.

We have begun investigating general “binding” mechanisms, as described in our 1992 annual report to ONR, but have nothing further to report at this time.

1.4 An Application

We have used Nqthm to formally specify and verify properties of a simple train crossing gate system. This problem has been suggested by Connie Heitmeyer of NRL as a benchmark for evaluating the performance of specification tools and automated reasoning systems in the area of safety-critical systems. The work has been documented in Computational Logic’s Technical Report 93.
2. Acl2

Why change from Nqthm to Acl2?

Scale and Performance. Nqthm was designed for smaller problems than we face today. For example, it is difficult for several users to contribute to the same project with Nqthm, because there is no notion of hierarchical structure for “subproofs.”

Control and Flexibility. Nqthm is hard to control and tailor to the individual user. For example, there is no facility in Nqthm for defining macros.

Practicing What We Preach. Acl2 is programmed essentially in itself, and we believe that by forcing ourselves to use the programming environment that we offer to others and support in our logic, we are creating a really usable programming environment for which there is a powerful verifier. Also, applicative programming holds a promise for high performance via parallel implementations.

Acl2 addresses all of these issues with considerable success.

But now let us back up, giving some perspective on the Acl2 project. The following subsection is excerpted almost exactly from Boyer and Moore’s contribution to the Tenth International Conference on Automated Deduction, 1990, where they gave the keynote address. This subsection will be followed by a report on progress on the items listed in the statement of work of this contract. Further progress is alluded to in the final subsection, with details reported in the Appendix.

2.1 Background on Acl2 (essentially from CADE-10 keynote address)

We are currently constructing an entirely new version of our prover. The name of the new system is A Computational Logic for Applicative Common Lisp, which might be abbreviated as “ACL ACL” but which we abbreviate as “Acl2.” Whereas Nqthm has been available for some time, extensively documented, and widely used, Acl2 is still very much under development. Hence the following remarks are somewhat speculative.

Instead of supporting “Boyer-Moore logic”, which reflects an odd mixture of functions vaguely, but not consistently, related to Lisp 1.5 and Interlisp, Acl2 directly supports perfectly and accurately (we hope) a large subset of applicative Common Lisp. That is, Acl2 is to applicative Common Lisp what Nqthm is to the “Boyer-Moore logic”, a programming/theorem proving environment for an executable logic of recursive functions.

More precisely, we have identified an applicative subset of Common Lisp and axiomatized it, carefully following Steele’s Common Lisp: The Language. Because arrays, property lists, input/output and certain other commonly used programming features are not provided applicatively in Common Lisp (i.e., they all involve the notion of explicit state changes), we axiomatized applicative versions of these features. For example, when one “changes” an array object, one gets a new array object. However, we gave these applicative functions very efficient implementations which are in complete agreement with their axiomatic descriptions but which happen to execute at near von Neumann speeds when used in the normal von Neumann style (in which “old” versions of a modified structure are not accessed). The result is “applicative Common Lisp” which is also an executable mathematical logic.
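The behaviour described above can be seen directly at the Acl2 prompt. The following is an added illustration, not code from the report or from the Acl2 sources: "changing" an array with aset1 returns a new object, and the old object remains readable under the same axioms, only without the fast access path. The header alist format, compress1, aref1 and aset1 are Acl2's one-dimensional array primitives as they exist in current Acl2 releases; the array name arr, its size and the stored values are constructed for this example.

```lisp
;; Added example, not from the report: applicative arrays in Acl2.
;; The array name ARR, its dimension and the values are constructed here.

(defun fresh-arr ()
  ;; An array of 4 slots with default value 0.  COMPRESS1 attaches the
  ;; fast (raw Lisp) representation to this particular list object.
  (compress1 'arr '((:header :dimensions (4)
                             :maximum-length 5
                             :default 0
                             :name arr))))

(defun array-demo ()
  (let* ((a0 (fresh-arr))
         ;; "Changing" slot 2 produces a NEW object A1.  A0 is not
         ;; destroyed: it is the same alist it was before the ASET1.
         (a1 (aset1 'arr a0 2 42)))
    ;; Reading A1 is the von Neumann-speed path.  Reading A0 afterwards is
    ;; the "old version" case the text mentions: the answer is still the
    ;; one the axioms dictate, but Acl2 has to fall back to a linear walk
    ;; over the alist (and warns that the array object has become slow).
    (list (aref1 'arr a0 2)      ; slot 2 of the untouched array: the default
          (aref1 'arr a1 2))))   ; slot 2 of the updated array: the new value
```

Calling (array-demo) reads the same slot from both objects; the first element comes from a0, which still holds its default, and the second from a1, which holds the stored value. The point for a verifier is that no proof about a0 is invalidated by the update, because a0 never changed.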

Like Nqthm, the logic of applicative Common Lisp provides a definitional principle that permits the sound extension of the system via the introduction of recursive functions. Unlike Nqthm, however, functions in applicative Common Lisp may be defined only on a subset of the universe. Like Nqthm, the new logic provides the standard first order rules of inference and induction. However, the axioms are different since, for example, Nqthm and Acl2 differ on what (CAR NIL) is. Most importantly for the current purposes, we claim that all correct Common Lisps implement applicative Common Lisp directly and that, unlike Nqthm’s logic, applicative Common Lisp is a practical programming language.

Acl2 is a theorem prover and programming/proof environment for applicative Common Lisp. Acl2 includes all of the functionality of Nqthm (as understood in the new setting) plus many new features (e.g., congruence-based rewriting). The source code for Acl2 consists of about 1.5 million characters, all but 43,000 of which are in applicative Common Lisp. That is, 97% of Acl2 is written applicatively in the same logic for which Acl2 proves theorems. The 3% of non-applicative code is entirely at the top-level of the read-eval-print user interface and deals with reading user input, error recovery and interrupts. We expect to implement read applicatively and limit the non-applicative part of Acl2 to the essential interaction with the underlying Common Lisp host system.

Thus, in Acl2 as it currently stands, the definitional principle is implemented as a function in logic, including the syntax checkers, error handlers, and data base handlers. The entire “Boyer-Moore theorem prover” -- as that term is now understood to mean “the theorem prover Boyer and Moore have written for Acl2” -- is a function in the logic, including the simplifiers, the decision procedures, the induction heuristics, and all of the proof description generators.

The fact that almost all of Acl2 is written applicatively in the same logic for which it is a theorem prover allows the Acl2 source code to be among the axioms in that definitional extension of the logic. The user of the Acl2 system can define functions, combine his functions with those of Acl2, execute them, or prove things about them, in a unified setting. One need only understand one language, Common Lisp, to use the “logic”, interact with the system, interface to the system, or modify the system. DEFMACRO can be used to extend the syntax of the language, users can introduce their own front-ends by programming within the logic, and all of the proof routines are accessible to users and have exceptionally clear (indeed, applicative) interfaces. Many new avenues in metatheoretic extensibility are waiting to be explored. We believe we have taken a major step towards the goal of perhaps someday checking the soundness of most of the theorem prover by defining the theorem prover in a formalized logic.

At the time of this writing, we have completely recoded all of the functionality of Nqthm, but have only begun experimentation with proving theorems. However, our preliminary evidence is that there will be no substantial degradation in performance, even though Acl2 is coded applicatively.

2.2 Acl2 Accomplishments

As mentioned above, the axiomatic definition of Acl2 is consistent with the Common Lisp manuals by Guy Steele. Thus the new logic is directly implemented by Lucid, Allegro, Symbolics, KCL, etc., and Acl2, in turn, directly provides a programming/verification environment for those systems. Most stunning however is the fact that the new system is written in Acl2. That is, it is an applicative program in the logic; this includes the syntax checking, simplifiers, decision procedures, I/O, error handling, data base maintenance, etc. The Acl2 code is part of the Acl2 logical data base, and hence the system provides exceptional logical coherence, power, extensibility and unity. Early performance experiments indicate that Acl2 is as fast as Nqthm. We believe Acl2 represents a revolutionary step forward in verification, programming languages, and theorem proving. In addition, Acl2 unites several disparate communities, offers an extensive test bed for research into parallelism in an applicative setting, and opens new doors in both theorem proving and metatheoretic extensibility. We have in fact begun to think about using Acl2 to prove itself correct (and have considered ways of avoiding the apparent circularity of such an approach).

Let us turn now to specific items from the Statement of Work. We have made considerable progress on Acl2 since the time of the description relayed in Subsection 2.1 above. We should mention that several contracts at Computational Logic, Inc. have supported our Acl2 work, and we do not attempt to single out which work below was due in particular to ONR support. However, here we organize the progress most relevant to this contract according to the corresponding items in its Statement of Work, which specified some directions in which to concentrate our efforts.

• Verify (parts of) the Acl2 code.

We have successfully proved termination for many of the definitions that are part of the Acl2 system. We have also proved that many of those functions may be admitted as “:gold” functions, i.e., that they are guaranteed to evaluate without error (except possibly for resource errors).

• Provide a richer mechanism for metatheoretic extensibility.

We have designed and implemented a mechanism for “conditional metalemmas,” i.e., metalemmas with meta-level hypotheses.

• Provide further interactive features and begin verifying their correctness.

We have incorporated a rich interactive capability into Acl2, but have not yet begun on its verification.
• Extend Acl2 by including more seemingly non-applicative features.

At this point we have not seen the need to make such extensions. However, in related work, Bishop Brock of CLI has proved a collection of theorems about Acl2 arrays.

• Build a much more useful arithmetic reasoning capability.

We have made technical improvements in the linear arithmetic reasoning code in Acl2, and have also provided a mechanism whereby the user can specify different algebraic systems to use in place of rational number arithmetic. This mechanism has been used to implement a capability for Acl2 to emulate Nqthm. When that capability has been polished it will, in turn, be very useful in testing Acl2, since the Nqthm examples containing perhaps 16,000 definitions and theorems will become usable for testing Acl2. Finally, we should mention that we have accumulated a reasonably large collection of useful, proved arithmetic facts (mostly rewrite rules, but a few others including three metalemmas).

• Provide first-order capabilities.

Acl2 has a mature method for introducing constrained functions that can sometimes be used in place of quantification for building mathematical models. If we introduce traditional first-order quantifiers, the work reported above in Subsection 1.3 should be helpful.

• Create a facility for management of reusable, incremental theories.

The Acl2 book mechanism is fully operational and mature. It allows for the development of partially ordered collections of books. A book is nothing more than a file containing Acl2 event forms (most commonly, definitions and theorems). Note that Acl2 supports compilation of books, which is important for efficient execution.

• Exercise the system and demonstrate its capabilities.

We have continually exercised the system, both in processing its own definitions and in implementing the Nqthm package. We have also carried out an experiment in non-standard analysis with ONR support that suggests a way to support continuous mathematics in Acl2; we expect to write that up this year. Other projects at CLI include definitions and theorems proved related to interpreters for a DSP chip and for subsets of Ada and C, as well as what one might call a “verified VCG generator” for a toy programming language. Finally, we have used the system as an efficient programming environment for a fast OBDD (ordered binary decision diagram) algorithm for deciding propositional logic formulas, and for a 1993 compliant VHDL parser.
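Two of the items above, constrained functions in place of quantification and the book mechanism, can be illustrated together. What follows is an added example written for this report, not code from the Acl2 project: a book is a file of event forms beginning with in-package, and encapsulate introduces a function about which only a stated constraint is known. The file name nat-fn.lisp, the function names f and g and the theorem names are constructed; encapsulate, local, :functional-instance, certify-book and include-book are Acl2 events and hints in their current spelling, and natp is assumed to be available as in current Acl2.

```lisp
;; Added example, not from the report: the contents of a small Acl2 book,
;; "nat-fn.lisp" (name constructed), packaging a constrained function and a
;; reusable theorem.  Every book begins with IN-PACKAGE.
(in-package "ACL2")

;; ENCAPSULATE introduces F with no definition, only the constraint proved
;; inside it.  The LOCAL witness (here the constant 0) shows the constraint
;; is satisfiable; it is not exported, so nothing else is known about F.
(encapsulate
  (((f *) => *))
  (local (defun f (x) (declare (ignore x)) 0))
  (defthm f-returns-a-natural
    (natp (f x))
    :rule-classes :type-prescription))

;; A fact that follows from the constraint alone.  Because F is otherwise
;; unspecified, this theorem holds for every function satisfying the
;; constraint, which is how constrained functions stand in for a universally
;; quantified statement about such functions.
(defthm sum-of-f-is-a-natural
  (natp (+ (f x) (f y))))

;; Reuse by functional instantiation: G meets F's constraint, so the theorem
;; transfers to G.  Acl2 generates and proves the obligation (natp (g x)).
(defun g (x)
  (if (natp x) (* 2 x) 0))

(defthm sum-of-g-is-a-natural
  (natp (+ (g x) (g y)))
  :hints (("Goal" :use (:functional-instance sum-of-f-is-a-natural (f g)))))

;; At the Acl2 prompt, (certify-book "nat-fn" 0) checks every event above and
;; compiles the book; later sessions load it with (include-book "nat-fn")
;; instead of replaying the proofs, which is the incremental reuse the
;; statement of work asked for.
```

A book that include-books another forms the partially ordered collection mentioned above: certification records which books were loaded, so a change in a lower book forces recertification of everything that depends on it.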
2.3 Acl2: Concluding Words

We continue to make progress on Acl2. Although we have summarized the progress areas above that relate most directly to this contract’s statement of work, much more has been accomplished. We have included an appendix to this report in order to give some flavor for what is involved in the evolution of Acl2.


3. Publications, Reports, Presentations, Awards/Honors

Below we list publications, reports, presentations, and awards and honors from the annual reports filed under this contract.

3.1 Publications

• Response and biographical sketch in receipt by Boyer and Moore of the 1991 AMS Current Award for Automatic Theorem Proving, in: “Automatic Theorem Proving Awards Presented,” Notices of the American Mathematical Society, vol. 38, no. 5, pp. 405-410.

• Bob Boyer, Matt Kaufmann, and J Strother Moore, “The Boyer-Moore Theorem Prover and Its Interactive Enhancement,” submitted for publication.

• R. S. Boyer and J S. Moore, “MJRTY - A Fast Majority Vote Algorithm,” in Robert S. Boyer, editor, Automated Reasoning: Essays in Honor of Woody Bledsoe, Kluwer Academic, Dordrecht, The Netherlands, 1991, pp. 105-117.

• Robert S. Boyer, D. Goldschlag, M. Kaufmann, and J Strother Moore, “Functional Instantiation in First Order Logic,” in V. Lifschitz (editor), Artificial Intelligence and Mathematical Theory of Computation: Papers in Honor of John McCarthy, Academic Press, 1991, pp. 7-26.

• D. Goldschlag, “A Mechanical Formalization of Several Fairness Notions,” to appear in proceedings of VDM ’91, Amsterdam, October 1991.

• D. Goldschlag, “Mechanically Verifying Safety and Liveness Properties of Delay Insensitive Circuits,” in: proceedings of Computer Aided Verification 1991, Aalborg, Denmark, July 1991.

• D. Goldschlag, “Mechanically Verifying Safety and Liveness Properties of Delay Insensitive Circuits,” in Computer Aided Verification, K. G. Larsen, A. Skou (editors), Springer-Verlag Lecture Notes in Computer Science 575, Berlin, 1992.

• D. Goldschlag, “Verifying Safety and Liveness Properties of a Delay Insensitive FIFO Circuit on the Boyer-Moore Prover,” 1991 International Workshop on Formal Methods in VLSI Design, Miami, January 1991.

• M. Kaufmann, “Generalization in the Presence of Free Variables: a Mechanically-Checked Correctness Proof for One Algorithm,” J. Automated Reasoning, volume 7, 1991.

• Matt Kaufmann, “An Extension of the Boyer-Moore Theorem Prover to Support First-Order Quantification,” J. Automated Reasoning 9, December 1992, pp. 355-372.

3.2 Reports

• David M. Goldschlag, “Mechanically Verifying Concurrent Programs,” Technical Report 71, Computational Logic, Inc., September 1991.

• M. Kaufmann, “An informal discussion of issues in mechanically-assisted reasoning,” CLI Internal Note 242, September, 1991; to appear in proceedings of 1991 International Workshop on the HOL Theorem Proving System and its Applications, University of California, Davis, August 27-30, 1991.

• Matt Kaufmann, “A Strategy for ‘Constructivizing’ DEFN-SK,” Internal Note 250, Computational Logic Inc., December 1991.

• Matt Kaufmann, “Quantification in Nqthm: a Recognizer and Some Constructive Implementations,” Technical Report 81, Computational Logic Inc., August 1992.

• William D. Young, “Verifying a Simple Real-Time System with Nqthm,” Technical Report 93, Computational Logic, Inc., September 1993.

3.3 Presentations

• “Mechanized Correctness Proofs of Some M68020 Programs,” Robert S. Boyer, Symposium in honor of John McCarthy, Stanford, California, September 1991.

• “A Theorem Prover for a Computational Logic,” Robert S. Boyer, Research Institute for Mathematical Sciences at the Univ. of Kyoto, Dec. 12, 1990.

• “A Hardware Reset Lemma and Its Proof,” Matt Kaufmann, Japanese-American Workshop on Automated Reasoning, Argonne National Labs, June 1991.

• Matt Kaufmann, IRST, Trento, Italy, June 1991 (invited guest for a week).

• “An informal discussion of issues in mechanically-assisted reasoning,” August 30, 1991 - a keynote address at the 1991 International Workshop on the HOL Theorem Proving System and its Applications, University of California, Davis.

• Boyer and Moore, acceptance speech for AMS Prize for Current Achievements in Automatic Reasoning in January, 1991 at the AMS conference in San Francisco.
• “A Mechanical Formalization of Several Fairness Notions,” David Goldschlag, VDM ’91, Amsterdam, October 1991.

• “Mechanically Verifying Safety and Liveness Properties of Delay Insensitive Circuits,” David Goldschlag, Computer Aided Verification 1991, Aalborg, Denmark, July 1991.

• “Verifying Safety and Liveness Properties of a Delay Insensitive FIFO Circuit on the Boyer-Moore Prover,” David Goldschlag, 1991 International Workshop on Formal Methods in VLSI Design, Miami, January 1991.

• J Moore, “The Role of Automated Reasoning in Integrated System Verification Environments,” Workshop on the Effective Use of Automated Reasoning Technology in System Development, April 6-8, 1992, Naval Research Laboratory.

• Matt Kaufmann, “Should We Begin a Standardization Process for Interface Logics?” Workshop on the Effective Use of Automated Reasoning Technology in System Development, April 6-8, 1992, Naval Research Laboratory.

• J Moore, “The Formal Specification of Programs that Interact with Hostile Environments,” NSA, July 1992.

• J Moore, “The Acl2 Project,” NSA, July 1992.

• J Moore, presentation on the paper “A Formal Model of Asynchronous Communication and Its Use in Mechanically Verifying a Biphase Mark Protocol,” August, 1992, NASA Langley.

• Bob Boyer and Yuan Yu, “Automated Correctness Proofs of Machine Code Programs for a Commercial Microprocessor,” CADE-11, Saratoga Springs, NY, June 1992.

• Bob Boyer, invited opening talk at the Workshop on Automation of Induction, Saratoga Springs, June 1992.

• Matt Kaufmann, talk at NSA on Nqthm and Pc-Nqthm, April 1992.

• Bob Boyer, Distinguished Lecturer, Harvard University, December 2, 1992.

• Bob Boyer, Distinguished Lecturer, University of Illinois, Urbana, Illinois, April 26, 1993.

• Bob Boyer, Dagstuhl (Germany) Seminar on Automated Deduction, March 9, 1993.

• Bob Boyer, Annual Meeting of the Esprit Basic Research Action on Proofs and Types, Nijmegen, the Netherlands, May 25, 1993.

• Bob Boyer, German Institute for Artificial Intelligence (DFKI), University of Saarbruecken, Germany, June 2, 1993.
• Matt Kaufmann, “Interactive Proving Using the Boyer-Moore Theorem Provers.” Formal Methods in Software Engineering: AUTOMATED REASONING, Workshop sponsored by ARO and ONR, University of Pennsylvania, Philadelphia, Pennsylvania, May 10-11, 1993.

• J Moore, “Mechanized Logic and Mathematical Modeling of Digital Systems.” Boeing Formal Methods Lecture Series, Seattle, Washington, May 3, 1993.

• J Moore, “An Nqthm Tutorial.” Boeing Formal Methods Lecture Series, Seattle, Washington, May 3, 1993.

• J Moore, “Mathematical Modeling of Digital Systems.” Digital Equipment Corporation Systems Research Center, Palo Alto, California, May 4, 1993.

• J Moore, “Packages in Acl2.” Digital Equipment Corporation Systems Research Center, Palo Alto, California, May 4, 1993.

3.4 Awards/honors

The American Mathematical Society awarded Boyer and Moore their Prize for Current Achievements in Automatic Reasoning in January, 1991, at the AMS conference in San Francisco. This is a significant recognition of the collaboration by Boyer and Moore that has been continuing since the early 70s, with substantial ongoing support by ONR. Pages 407-410 of the Notices of the American Mathematical Society, vol. 38, no. 5, contain descriptions of NQTHM and its applications, plus biographical remarks by Boyer and Moore about the development of their system and thanks to ONR and other research sponsors, all in acknowledgement of receipt of this prize.

Bob Boyer was a member of the Organizing Board and Program Committee of the 1993 Workshop on Automated Induction, held in conjunction with AAAI, July, 1993.

Bob Boyer also became a member of the Organizing Committee for the 1995 Dagstuhl (Germany) Workshop on Automated Induction.

Matt Kaufmann became a member of the CADE-12 program committee, and co-organized a workshop at that conference.
Appendix A
Enhancements to Acl2


Here is a list of the improvements and changes made to Acl2, as advertised in its various (internal) release notes.

VERSION 1.2 RELEASE NOTES

Hacker mode has been eliminated and programming mode has been added.

Programming mode is unsound but does syntax checking and permits redefinitions of names. See :doc load-mode and :doc g-mode.

The arguments to LD have changed. LD is now much more sophisticated. See :DOC ld.

For those occasions on which you wish to look at a large list structure that you are afraid to print, try (walkabout x state), where x is an Acl2 expression that evaluates to the structure in question. I am afraid there is no documentation yet, but it is similar in spirit to the Interlisp structure editor. You are standing on an object and commands move you around in it. E.g., 1 moves you to its first element, 2 to its second, etc.; 0 moves you up to its parent; nx and bk move you to its next sibling and previous sibling; pp prettyprints it; q exits returning nil; > exits returning the thing you're standing on; (= symb) assigns the thing you're standing on to the state global variable symb.

Several new hints have been implemented, including :by and :do-not.

The old :do-not-generalize has been scrapped in favor of such new hints as :do-not (generalize elim). :By lets you say "this goal is subsumed by" a given lemma instance. The :by hint also lets you say "this goal can't be proved yet but skip it and see how the rest of the proof goes." See :DOC hints.
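The two hints just described, in use. This is an added example and not part of the release notes; the function app and the theorem names are constructed for it. The hints are written in the spelling current Acl2 accepts, where the :do-not value is quoted and the elim process is named eliminate-destructors, rather than the Version 1.2 spelling shown in the notes.

```lisp
;; Added example, not from the release notes: the :do-not and :by hints.
;; APP and the theorem names are constructed for this illustration.

(defun app (x y)
  (if (endp x) y (cons (car x) (app (cdr x) y))))

;; :do-not switches off the named proof techniques for this goal and its
;; descendants.  Here generalization and destructor elimination are
;; forbidden, so the proof must succeed by induction and rewriting alone;
;; that is a useful way to check that a lemma library carries a proof on
;; its own, without help from the heuristics.
(defthm len-app
  (equal (len (app x y)) (+ (len x) (len y)))
  :hints (("Goal" :do-not '(generalize eliminate-destructors))))

;; :by says "this goal is subsumed by the given lemma instance".  The
;; instance below is LEN-APP with X renamed to P and Y to Q, which is
;; exactly the goal, so Acl2 admits the theorem with no further proof.
(defthm len-app-renamed
  (equal (len (app p q)) (+ (len p) (len q)))
  :hints (("Goal" :by (:instance len-app (x p) (y q)))))
```

If the instance did not subsume the goal, the :by hint would fail rather than silently accept the theorem, so the hint is a claim checked by the prover, not a way to skip proof obligations.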
VERSION 1.3 RELEASE NOTES

Programming mode has been eliminated. Instead, all functions have a "color" which indicates what can be done with the function. For example, :red functions can be executed but have no axioms describing them. Thus, :red functions can be introduced after passing a simple syntactic check and they can be redefined without undoing. But nothing of consequence can be proved about them. At the other extreme are :gold functions which can be executed and which also have passed both the termination and the guard verification proofs. The color of a function can be specified with the new XARGS keyword, :COLOR, which, if omitted, defaults to the global setting of LD-COLOR. LD-COLOR replaces LOAD-MODE. Setting LD-COLOR to :red causes behavior similar to the old :g-mode. Setting LD-COLOR to :gold causes behavior similar to the old :v-mode. It is possible to prototype your system in :red and then convert :red functions to :blue individually by calling verify-termination on them. They can then be converted to :gold with verify-guards. This allows us to undertake to verify the termination and guards of system functions. See :DOC color for an introduction to the use of colors.
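The prototype-then-verify workflow described in these notes, as an added example (not from the release notes or the Acl2 sources). The function nth-or-default is constructed for it. The :color keyword in xargs is the spelling given by these Version 1.3 notes; current Acl2 spells the same idea :mode :program and :mode :logic, and natp is assumed to exist as in current Acl2, so the declaration should be adjusted to the version in use.

```lisp
;; Added example, not from the release notes: a function introduced as :red,
;; promoted to :blue by VERIFY-TERMINATION and to :gold by VERIFY-GUARDS.
;; NTH-OR-DEFAULT is constructed here.  The :color keyword follows the 1.3
;; notes; later Acl2 versions write :mode :program / :mode :logic instead.

(defun nth-or-default (n lst dflt)
  (declare (xargs :color :red          ; executable now, but no axioms yet
                  :guard (and (natp n) (true-listp lst))))
  (cond ((endp lst) dflt)              ; ran off the end: return the default
        ((zp n) (car lst))             ; N counted down to 0: this element
        (t (nth-or-default (- n 1) (cdr lst) dflt))))

;; :red -> :blue.  Acl2 must find a measure that decreases on the recursive
;; call (either LST or N works here) and prove termination.  Only after this
;; does the definition become an axiom, so theorems about the function can
;; be proved.  Until then, like every :red function, it could be redefined
;; freely because nothing in the logic depends on it.
(verify-termination nth-or-default)

;; :blue -> :gold.  Every call in the body (ENDP, CAR, CDR, ZP, -) must have
;; its own guard implied by the stated :guard, and the recursive call must
;; re-establish that guard.  A :gold function is the one Section 2.2 calls
;; "guaranteed to evaluate without error (except possibly for resource
;; errors)", and Acl2 may then run it as compiled Lisp without checks.
(verify-guards nth-or-default)
```

The ordering matters for a system built this way: the notes describe verifying the Acl2 system functions themselves by exactly this route, so an unverified (:red) system function is one whose behaviour the logic says nothing about.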

Type prescription rules have been added. Recall that in Nqthm, some
REWRITE rules were actually stored as "type-prescriptions." Such
rules allow the user to inform Nqthm's primitive type mechanism as to
the kinds of shells returned by a function. Earlier versions of Acl2
did not have an analogous kind of rule because Acl2's type mechanism is
complicated by guards. Version 1.3 supports TYPE-PRESCRIPTION rules.

See :DOC type-prescription.

Three more new rule-classes implement congruence-based rewriting. It
is possible to identify a binary relation as an equivalence relation
(see :DOC equivalence), to show that one equivalence relation refines
another (see :DOC refinement) and to show that a given equivalence
relation is maintained when rewriting a given function call, e.g., (fn
...xk...), by maintaining another equivalence relation while rewriting
the kth argument (see :DOC congruence). If r has been shown to be an
equivalence relation and then (implies hyps (r (foo x) (bar x))) is
proved as a :REWRITE rule, then instances of (foo x) will be replaced
by corresponding instances of (bar x) provided the instance occurs in
a slot where the maintenance of r-equivalence is known to be
sufficient and hyps can be established as usual.

In Version 1.2, rule-classes were simple keywords, e.g., :REWRITE or :ELIM.
In Version 1.3, rule-classes have been elaborated to allow you to specify
how the theorem ought to be used as a rule. That is, the new rule-classes
allow you to separate the mathematical statement of the formula from its
interpretation as a rule. See :DOC rule-classes.

Rules used to be named by symbols, e.g., CAR and CAR-CONS were the
names of rules. Unfortunately, this was ambiguous because there are
three rules associated with function symbols: the symbolic definition,
the executable counterpart, and the type-prescription; many different
rules might be associated with theorems, depending on the rule
classes. In Version 1.3 rules are named by "runes" (which is just
short hand for "rule names"). Example runes are (:DEFINITION CAR),
(:EXECUTABLE-COUNTERPART CAR), and (:TYPE-PRESCRIPTION CAR . 1).

Every rule added by an event has a different name and you can enable
and disable them independently. See :DOC rune and :DOC theories.

The identity function FORCE, of one argument, has been added and given
a special interpretation by the functions responsible for establishing
hypotheses in backchaining: When the system fails to establish some
hypothesis of the form (FORCE term), it simply assumes it is true and
goes on, delaying until later the establishment of term. In
particular, it pushes a new subgoal to prove term in the current context.
When that subgoal is attacked, all of the resources of the theorem
prover, not just rewriting, are brought to bear. Thus, for example,
if you wish to prove the rule
(IMPLIES (GOOD-STATEP S) (EQUAL (EXEC S N) S'))
and it is your expectation that every time EXEC appears its first
argument is a GOOD-STATEP then you might write the rule as
(IMPLIES (FORCE (GOOD-STATEP S)) (EQUAL (EXEC S N) S')).

This rule is essentially an unconditional rewrite of (EXEC S N) to S'
that spawns the new goal (GOOD-STATEP S). See :DOC force. Because
you can now specify independently how a theorem is used as a rule, you
need not write the FORCE in the actual theorem proved. See
:DOC rule-classes.

Version 1.3 supports a facility similar to Nqthm's BREAK-LEMMA. See
:DOC break-rewrite. You can install "monitors" on runes that will
cause interactive breaks under certain conditions.

Acl2 also provides "wormholes" which allow you to write functions
that cause interaction with the user but which do not require that you
have access to STATE. See :DOC wormhole.

The rewriter now automatically backchains to stronger recognizers.
There is no user hook to this feature but it may simplify some proofs
with which older versions of Acl2 had trouble. For example, if the
rewriter is trying to prove (rationalp (foo a b c)) it is now smart
enough to try lemmas that match with (integerp (foo a b c)).
VERSION 1.4 RELEASE NOTES

Once again LD only takes one required argument, as the bind-flg has
been deleted.

Three commands have been added in the spirit of :PE. :PE! is
similar to :PE but it prints all events with the given name, rather
than just the most recent. The command :PF prints the corollary
formula corresponding to a name or rune. The command :PL (print
lemmas) prints rules whose top function symbol is the given name.

See :DOC pe!, :DOC pf, and :DOC pl.

Book naming conventions have been changed somewhat. The
once-required .lisp extension is now prohibited! Directories are
supported, including a notion of "connected book directory". See
:DOC book-name. Also, the second argument of certify-book is now
optional, defaulting to 0.

Compilation is now supported inside the Acl2 loop. See :DOC comp
and :DOC set-compile-fns.

The default color is now part of the Acl2 world; see
:DOC default-color. Ld-color is no longer an LD special. Instead,
colors are events; see :DOC red, :DOC pink, :DOC blue, and
:DOC gold.

A table exists for controlling whether Acl2 prints comments when it
forces hypotheses of rules; see :DOC force-table. Also, it is now
possible to turn off the forcing of assumptions by disabling the
definition of force; see :DOC force.

The event defconstant is no longer supported, but a very similar
event, defconst, has been provided in its place. See :DOC defconst.

The event for defining congruence relations is now defcong
(formerly, defcon).

Patterns are now allowed in :expand hints. See the documentation
for :expand in :DOC hints.

We have improved the way we report rules used by the simplifier.

All runes of the same type are reported together in the running
commentary associated with each goal, so that for example,
executable counterparts are listed separately from definitions, and
rewrite rules are listed separately from linear rules. The
preprocessor now mentions "simple" rules; see :DOC simple.

The mechanism for printing warning messages for new rewrite rules,
related to subsumption, now avoids worrying about nonrecursive
function symbols when those symbols are disabled. These messages
have also been eliminated for the case where the old rule is a
:definition rule.

Backquote has been modified so that it can usually provide
predictable results when used on the left side of a rewrite rule.

Time statistics are now printed even when an event fails.
The Acl2 trace package has been modified so that it prints using the
values of the Lisp globals *print-level* and *print-length*
(respectively).

Table has been modified so that the :clear option lets you replace
the entire table with one that satisfies the val and key guards (if
any); see :DOC table.

We have relaxed the translation rules for :measure hints to defun,
so that the same rules apply to these terms that apply to terms
in defthm events. In particular, in :measure hints mv is treated
just like list, and state receives no special handling.

The loop-stopper test has been relaxed. The old test required that
every new argument be strictly less than the corresponding old
argument in a certain term-order. The new test uses a lexicographic
order on term lists instead. For example, consider the following
rewrite rule.

(equal
 (variable-update var1
                  val1 (variable-update var2 val2 vs))
 (variable-update var2
                  val2 (variable-update var1 val1 vs)))

This rule is permutative. Now imagine that we want to apply this
rule to the term

(variable-update u y (variable-update u x vs)).

Since the actual corresponding to both var1 and var2 is u, which is
not strictly less than itself in the term-order, this rule would
fail to be applied in this situation when using the old test.
However, since the pair (u x) is lexicographically less than the
pair (u y) with respect to our term-order, the rule is in fact
applied using our new test.

Messages about events now contain a space after certain left
parentheses, in order to assist emacs users. For example, the event

(defthm abc (equal (+ (len x) 0) (len x)))

leads to a summary containing the line

Form:  ( DEFTHM ABC ...)

and hence, if you search backwards for "(defthm abc", you won't
stop at this message.

More tautology checking is done during a proof; in fact, no goal
printed to the screen, except for the results of applying :USE and
:BY hints or the top-level goals from an induction proof, is known
to Acl2 to be a tautology.

The ld-query-control-alist may now be used to suppress printing of
queries; see :DOC ld-query-control-alist.
Warning messages are printed with short summary strings, for example
the string "Use" in the following message.

Acl2 Warning [Use] in DEFTHM: It is unusual to :USE an enabled :REWRITE
or :DEFINITION rule, so you may want to consider disabling FOO.

At the end of the event, just before the time is printed, all such
summary strings are printed out.

The keyword command :u has been introduced as an abbreviation for
:ubt :max. Printing of query messages is suppressed by :u.

The keyword :cheat is no longer supported by any event form.

Some irrelevant formals are detected; see :DOC irrelevant-formals.

A bug in the application of metafunctions was fixed: now if the
output of a metafunction is equal to its input, the application of
the metafunction is deemed unsuccessful and the next metafunction is
tried.

An example has been added to :DOC equivalence to suggest how to make
use of equivalence relations in rewriting.

The following Common Lisp functions have been added to Acl2:
alpha-char-p, upper-case-p, lower-case-p, char-upcase,
char-downcase, string-downcase, string-upcase, and digit-char-p.

A documentation section called Proof-checker has been added for the
interactive facility, whose documentation has been slightly
improved. See in particular :DOC proof-checker, :DOC verify, and
:DOC macro-command.

A number of events that had been inadvertently disallowed in books
are now permitted in books. These are: defcong, defcor, defequiv,
defrefinement, defstub, and verify-termination.
VERSION 1.5 RELEASE NOTES

Acl2 now allows "complex rationals," which are complex numbers whose real
parts are rationals and whose imaginary parts are non-zero rationals. See
:DOC complex.

A new way of handling FORCEd hypotheses has been implemented. Rather than
cause a case split at the time the FORCE occurs, we complete the main proof
and then embark on one or more "forcing rounds" in which we try to prove
the forced hypotheses. See :DOC forcing-round.

To allow us to compare the new handling of FORCE with the old, Version
1.5 implements both and uses a flag in STATE to determine which method should
be used. Do (assign old-style-forcing t) if you want FORCE to be handled as
it was in Version 1.4. However, we expect to eliminate the old-style forcing
eventually because we think the new style is more effective.

To see the difference between the two approaches to forcing, try proving
the associativity of append under both settings of old-style-forcing. To
see the new behavior invoke:

(thm (implies (and (true-listp a) (true-listp b))
              (equal (append (append a b) c)
                     (append a (append b c)))))

Then (assign old-style-forcing t) and invoke the thm command above again.
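The FORCE mechanism introduced in the Version 1.3 notes (a forced hypothesis that cannot be relieved is assumed and becomes a separate subgoal) and the forcing rounds described above, as an added model written for this report page rather than ACL2's own code. Everything here is constructed: terms are tuples, a context is the set of terms known to be true, rules are given already instantiated so no pattern matching is needed, and `provable` together with the INITIAL-STATEP lemma stands in for the full prover that a real forcing round brings to bear.

```python
"""Model of FORCEd hypotheses and forcing rounds (constructed, not ACL2 code).

A term is a str or a tuple (fn, arg1, ...).  A context is the set of terms
currently known to be true.  A rule is (hyps, lhs, rhs), already
instantiated, and fires on a term equal to lhs.
"""

FORCE = "FORCE"


def relieve_hyps(hyps, context, forced):
    """Try to establish each hypothesis of a rule from the context.

    An ordinary hypothesis that cannot be established makes the rule fail.
    A hypothesis (FORCE h) that cannot be established is simply assumed:
    h is appended to `forced` together with the context it was forced in,
    so it can be attacked later as a separate subgoal."""
    for h in hyps:
        if isinstance(h, tuple) and h[0] == FORCE:
            if h[1] not in context:
                forced.append((frozenset(context), h[1]))
        elif h not in context:
            return False
    return True


def rewrite(term, rules, context, forced):
    """Rewrite `term` with the first rule whose hypotheses can be relieved
    (possibly by forcing); the term is returned unchanged if none fires."""
    for hyps, lhs, rhs in rules:
        if lhs == term:
            trial = []
            if relieve_hyps(hyps, context, trial):
                forced.extend(trial)  # commit the forced assumptions
                return rhs
    return term


def provable(context, goal, facts):
    """Stand-in for the prover used in a forcing round: a goal holds if it
    is in the context or is the conclusion of a constructed implication
    (hyps, concl) in `facts` whose hyps are all in the context."""
    return goal in context or any(
        concl == goal and all(h in context for h in hyps)
        for hyps, concl in facts)


def forcing_round(forced, facts):
    """Version 1.5 behaviour: after the main proof, each forced assumption
    becomes its own goal, proved in the context recorded when it was forced.
    Returns the goals that could not be proved (empty means success)."""
    return [goal for ctx, goal in forced if not provable(ctx, goal, facts)]


# Constructed instance of the EXEC rule from the notes, with and without FORCE.
EXEC_CALL = ("EXEC", "s", "n")
FORCED_RULE = ([(FORCE, ("GOOD-STATEP", "s"))], EXEC_CALL, "s-prime")
UNFORCED_RULE = ([("GOOD-STATEP", "s")], EXEC_CALL, "s-prime")
# One constructed lemma for the forcing round: initial states are good states.
FACTS = [([("INITIAL-STATEP", "s")], ("GOOD-STATEP", "s"))]


def prove_exec(rule, context):
    """Main proof step (rewrite EXEC_CALL) followed by the forcing round.
    Returns (rewritten term, list of forced goals left unproved)."""
    forced = []
    result = rewrite(EXEC_CALL, [rule], set(context), forced)
    return result, forcing_round(forced, FACTS)


if __name__ == "__main__":
    # Without FORCE and nothing known about s, the rule does not fire.
    print(prove_exec(UNFORCED_RULE, set()))
    # With FORCE the rewrite happens at once; the forced goal fails later.
    print(prove_exec(FORCED_RULE, set()))
    # If the recorded context lets the round prove (GOOD-STATEP s), all is well.
    print(prove_exec(FORCED_RULE, {("INITIAL-STATEP", "s")}))
```

The three calls in the main block correspond to the outcomes the notes describe: a plain conditional rule silently fails to apply, a FORCEd rule applies immediately but leaves an obligation that the forcing round must discharge, and the obligation is discharged only when the context recorded at forcing time suffices.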

A new :cases hint allows proof by cases. See :DOC hints.

Include-book and encapsulate now restore the acl2-defaults-table
when they complete. See :DOC include-book and :DOC encapsulate.

The guards on many Acl2 primitives defined in axioms.lisp have been weakened
to permit them to be used in accordance with Lisp custom and tradition.

It is possible to attach heuristic filters to :REWRITE rules to limit
their applicability. See :DOC syntaxp.

A tutorial has been added; see :DOC tutorial.

Events now print the Summary paragraph listing runes used, time, etc.,
whether they succeed or fail. The format of the "failure banner"
has been changed but still has multiple asterisks in it. THM also
prints a Summary, whether it succeeds or fails; but THM is not an
event.

A new event form skip-proofs has been added; see :DOC skip-proofs.

A user-specific customization facility has been added in the form of a
book that is automatically included, if it exists on the current
directory. See :DOC acl2-customization.

A facility for conditional metalemmas has been implemented; see
:DOC meta.

The acceptable values for ld-skip-proofsp have changed. In the old version
(Version 1.4), a value of t meant that proofs and LOCAL events are to be
skipped. In Version 1.5, a value of t means proofs (but not LOCAL events)
are to be skipped. A value of 'include-book means proofs and LOCAL events
are to be skipped. There are two other, more obscure, acceptable values.

See :DOC ld-skip-proofsp.
In order to turn off the forcing of assumptions, one should now
disable the :executable-counterpart of force (rather than the
:definition of force, as in the previous release); see :DOC force.

The macros enable-forcing and disable-forcing make it convenient to enable
or disable forcing. See :DOC enable-forcing and :DOC disable-forcing.

The new commands :pr and :pr! print the rules created by an event or
command. See :DOC pr and :DOC pr!.

The new history commands :puff and :puff* will replace a compound command
such as an encapsulate or include-book by the sequence of events in it. That
is, they "puff up" or "lift" the subevents of a command to the command
level, eliminating the formerly superior command and lengthening the history.
This is useful if you want to "partially undo" an encapsulate or book or
other compound command so you can experiment. See :DOC puff and see
:DOC puff*.

Theory expressions now are allowed to use the free variable WORLD and
prohibited from using the free variable STATE. See :DOC theories, although
it is essentially the same as before except it mentions WORLD instead of STATE.
See :DOC world for a discussion of the Acl2 logical world. Allowing
in-theory events to be state-sensitive violated an important invariant about
how books behaved.

TABLE keys and values now are allowed to use the free variable WORLD
and prohibited from using the free variable STATE. See the note above
about theory expressions for some explanation.

The macro for minus, -, used to expand (- x 3) to (+ x -3) and now expands it
to (+ -3 x) instead. The old macro, if used in the left-hand sides of
rewrite rules, produced inapplicable rules because the constant occurs in the
second argument of the + but potential target terms generally had the
constant in the first argument position because of the effect of
commutativity-of-+.

A new class of rule, :LINEAR-ALIAS rules, allows one to implement
the nqthm package and similar hacks in which a disabled function is
to be known equivalent to an arithmetic function. See :DOC linear-alias.

A new class of rule, :BUILT-IN-CLAUSE rules, allows one to extend the set of
clauses proved silently by DEFUN during measure and guard processing. See
:DOC built-in-clauses.

The new command PCB! is like PCB but sketches the command and then prints its
subsidiary events in full. See :DOC pcb!.

:REWRITE class rules may now specify the :LOOP-STOPPER field. See
:DOC rule-classes and :DOC loop-stopper.

The rules for how loop-stoppers control permutative rewrite rules
have been changed. One effect of this change is that now when the
built-in commutativity rules for + are used, the terms a and (- a)
are permuted into adjacency. For example, (+ A B (- A)) is now
normalized by the commutativity rules to (+ A (- A) B); in Version
1.4, B was considered syntactically smaller than (- A) and so (+ A B
(- A)) is considered to be in normal form. Now it is possible to
arrange for unary functions to be considered "invisible" when they
are used in certain contexts. By default, unary-- is considered
invisible when its application appears in the argument list of
binary-+. See :DOC loop-stopper and :DOC set-invisible-fns-alist.
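The loop-stopper test from the Version 1.4 notes (the variable-update rule, where the old per-argument test blocks the rewrite and the lexicographic test allows it) and the invisible-function behaviour just described, as one added model written for this report page; it is not ACL2's code. The term-order is a constructed stand-in (smaller terms first, ties broken by printed form), the commutativity rules for + are written in binary form as an assumption, and `INVISIBLE` models the default that unary - is invisible inside the arguments of +.

```python
"""Model of the loop-stopper test for permutative rewrite rules, with the
Version 1.5 'invisible functions' (constructed, not ACL2 code).

A variable is a str; an application is a tuple (fn, arg1, ...).  Every
symbol in a rule's left-hand side is a pattern variable.
"""


def size(t):
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])


def strip_invisible(t, invisible):
    # An invisible unary function is ignored when ordering: (- A) orders as A.
    while not isinstance(t, str) and len(t) == 2 and t[0] in invisible:
        t = t[1]
    return t


def term_order_less(a, b, invisible=()):
    """Constructed stand-in for ACL2's term-order."""
    a, b = strip_invisible(a, invisible), strip_invisible(b, invisible)
    return (size(a), repr(a)) < (size(b), repr(b))


def match(pat, term, b):
    """One-way matching; bindings of pattern variables accumulate in b."""
    if isinstance(pat, str):
        if pat in b:
            return b[pat] == term
        b[pat] = term
        return True
    if isinstance(term, str) or len(pat) != len(term) or pat[0] != term[0]:
        return False
    return all(match(p, t, b) for p, t in zip(pat[1:], term[1:]))


def instantiate(pat, b):
    if isinstance(pat, str):
        return b[pat]
    return (pat[0],) + tuple(instantiate(a, b) for a in pat[1:])


def old_test(pairs, b, invisible=()):
    """Pre-1.4 test: every new argument strictly smaller than the old one.
    `pairs` are (old, new) pattern variables: after the rewrite the slot
    that held the binding of `old` holds the binding of `new`."""
    return all(term_order_less(b[new], b[old], invisible) for old, new in pairs)


def new_test(pairs, b, invisible=()):
    """Version 1.4 test: lexicographic comparison of the new and old
    argument lists.  Equal lists mean the rewrite would loop."""
    for old, new in pairs:
        if term_order_less(b[new], b[old], invisible):
            return True
        if term_order_less(b[old], b[new], invisible):
            return False
    return False


def rewrite_once(rule, term, test, invisible_fns=None):
    """Apply the permutative rule (lhs, rhs, pairs) at the top of `term` if
    it matches and the loop-stopper `test` allows the move."""
    lhs, rhs, pairs = rule
    b = {}
    if not match(lhs, term, b):
        return None
    invisible = (invisible_fns or {}).get(lhs[0], ())
    if not test(pairs, b, invisible):
        return None
    return instantiate(rhs, b)


def normalize(term, rules, test, invisible_fns=None):
    """Rewrite arguments first, then the term, until no rule applies."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(a, rules, test, invisible_fns)
                              for a in term[1:])
    for rule in rules:
        new = rewrite_once(rule, term, test, invisible_fns)
        if new is not None:
            return normalize(new, rules, test, invisible_fns)
    return term


# The variable-update rule and target term from the Version 1.4 notes.
VU = "variable-update"
VU_RULE = ((VU, "var1", "val1", (VU, "var2", "val2", "vs")),
           (VU, "var2", "val2", (VU, "var1", "val1", "vs")),
           [("var1", "var2"), ("val1", "val2")])
VU_TARGET = (VU, "u", "y", (VU, "u", "x", "vs"))

# Constructed commutativity rules for binary +, and the assumed default
# that unary - is invisible inside the arguments of +.
COMM = (("+", "x", "y"), ("+", "y", "x"), [("x", "y")])
COMM2 = (("+", "x", ("+", "y", "z")), ("+", "y", ("+", "x", "z")), [("x", "y")])
INVISIBLE = {"+": {"-"}}
SUM = ("+", "A", ("+", "B", ("-", "A")))  # (+ A B (- A)) in binary form

if __name__ == "__main__":
    print(rewrite_once(VU_RULE, VU_TARGET, old_test))  # None: old test blocks it
    print(rewrite_once(VU_RULE, VU_TARGET, new_test))  # fires under the new test
    print(normalize(SUM, [COMM, COMM2], new_test))  # unchanged without invisibility
    print(normalize(SUM, [COMM, COMM2], new_test, INVISIBLE))  # (+ A (- A) B)
```

Applying `new_test` to the rewritten variable-update term a second time yields `None`, which is the point of the loop-stopper: the permutation is taken once and never undone. With `INVISIBLE` in force, (- A) is compared as A, so the commutativity rules move it next to A; without it B is the smaller term and (+ A B (- A)) is already normal, exactly the Version 1.4 behaviour the note contrasts.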

Extensive documentation has been provided on the topic of Acl2's
"term ordering." See :DOC term-order.

Calls of LD now default ld-error-action to :RETURN rather than to the current
setting.

The command descriptor :x has been introduced and is synonymous with
:max, the most recently executed command. History commands such as
:pbt print a :x beside the most recent command, simply to indicate that
it is the most recent one.

The command descriptor :x-23 is synonymous with (:X -23). More generally,
every symbol in the keyword package whose first character is #\X and whose
remaining characters parse as a negative integer is appropriately understood.
This allows :pbt :x-10 where :pbt (:MAX -10) or :pbt (:HERE -10) were
previously used. The old forms are still legal.

The order of the arguments to defcong has been changed.

The simplifier now reports the use of unspecified built-in type information
about the primitives with the phrase "primitive type reasoning." This
phrase may sometimes occur in situations where "propositional calculus" was
formerly credited with the proof.

The function pairlis has been replaced in the code by a new function
pairlis$, because Common Lisp does not adequately specify its
pairlis function.

Some new Common Lisp functions have been added, including logtest,
logcount, integer-length, make-list, remove-duplicates, string, and
concatenate. The source file /slocal/src/acl2/axioms.lisp is the
ultimate reference regarding Common Lisp functions in Acl2.

The functions DEFUNS and THEORY-INVARIANT have been documented.

See :DOC defuns and :DOC theory-invariant.

A few symbols have been added to the list *acl2-exports*.

A new key has been implemented for the acl2-defaults-table,
:irrelevant-formals-ok. See :DOC set-irrelevant-formals-ok.

The connected book directory, cbd, must be nonempty and begin and end with a
slash. It is set (and displayed) automatically upon your first entry to LP.
You may change the setting with set-cbd. See :DOC cbd.

:oops will undo the last :ubt. See :DOC oops.

Documentation has been written about the ordinals. See :DOC e0-ordinalp
and :DOC e0-ord-<.

The color events -- (red), (pink), (blue), and (gold) -- may no
longer be enclosed inside calls of LOCAL, for soundness reasons. In
fact, neither may any event that sets the acl2-defaults-table. See
:DOC embedded-event-form.

See :DOC ld-keyword-aliases for an example of how to change the exit
keyword from :q to something else.

The attempt to install a monitor on :REWRITE rules stored as simple
abbreviations now causes an error because the application of abbreviations is
not tracked.

A new message is sometimes printed by the theorem prover, indicating that a
given simplification is "specious" because the subgoals it produces
include the input goal. In Version 1.4 this was detected but not reported,
causing behavior some users found bizarre. See :DOC specious-simplification.

:DEFINITION rules are no longer always required to specify the
:CLIQUE and :CONTROLLER-ALIST fields; those fields can be defaulted
to system-determined values in many common instances. See
:DOC definition.

A warning is printed if a macro form with keyword arguments is given
duplicate keyword values. Execute (thm t :doc nil :doc "ignored")
and read the warning printed.

A new restriction has been placed on ENCAPSULATE. Non-LOCAL recursive
definitions inside the ENCAPSULATE may not use, in their tests and recursive
calls, the constrained functions introduced by the ENCAPSULATE. See
:DOC subversive-inductions.

The events defequiv, defcong, defrefinement, and defevaluator have been
reimplemented so that they are just macros that expand into appropriate
defthm or encapsulate events; they are no longer primitive events. See the
documentation of each affected event.

The defcor event, which was a shorthand for a defthm that established a
corollary of a named, previously proved event, has been eliminated because
its implementation relied on a technique we have decided to ban from our
code. If you want the effect of a defcor in Version 1.5 you must submit the
corresponding defthm with a :by hint naming the previously proved event.

Error reporting has been improved for inappropriate in-theory hints
and events, and for syntax errors in rule classes, and for
non-existent filename arguments to LD.

Technical Note: We now maintain the Third Invariant on type-alists, as
described in the Essay on the Invariants on Type-alists, and Canonicality.
This change will affect some proofs, for example, by causing a to
rewrite more quickly to c when (equiv a b) and (equiv b c) are both
known and c is the canonical representative of the three.
VERSION 1.6 RELEASE NOTES

A new key has been implemented for the acl2-defaults-table,
:ignore-ok. See :DOC set-ignore-ok.

It is now legal to have color events, such as (RED), in the portcullis of a
book. More generally, it is legal to set the acl2-defaults-table in the
portcullis of a book. For example, if you execute :RED and then certify a
book, the event (RED) will show up in the portcullis of that book, and hence
the definitions in that book will all be red (except when overridden by
appropriate declarations or events). When that book is included, then as
always, its portcullis must first be "raised," and that will cause the
default color to become red before the events in the book are executed. As
always, the value of acl2-defaults-table immediately after execution of an
include-book, certify-book, or encapsulate form will be the same as it was
immediately before execution (and hence, so will the default color). See
:DOC portcullis and, for more about books, :DOC books.

A theory GROUND-ZERO has been defined to contain exactly those rules that
are enabled when Acl2 starts up. See :DOC ground-zero.

The function nth is now enabled, correcting an oversight from Version 1.5.

Customization files no longer need to meet the syntactic restrictions put on
books; rather, they can contain arbitrary Acl2 forms. See
:DOC acl2-customization.

Structured directory names and structured file names are supported; see
especially :DOC pathname, :DOC book-name, and :DOC cbd.

Acl2 now works with some Common Lisp implementations other than akcl,
including Lucid, Allegro, and MCL.

A facility has been added for displaying proof trees, especially using emacs;
see :DOC proof-tree.

There is a considerable amount of new documentation, in particular
for the printing functions FMT, FMT1, and FMS, and for the notion of
Acl2 term (see :DOC term).

It is possible to introduce new well-founded relations, to specify which
relation should be used by DEFUN, and to set a default relation. See
:DOC well-founded-relation.

It is possible to make functions suggest new inductions. See
:DOC induction.

It is possible to change how Acl2 expresses type-set information; in
particular, this affects what clauses are proved when forced assumptions
are generated. See :DOC type-set-inverter.

A new restriction has been added to DEFPKG, having to do with undoing. If
you undo a DEFPKG and define the same package name again, the imports list
must be identical to the previous imports or else an explanatory error will
occur. See :DOC package-reincarnation-import-restrictions.

Theory-invariant and set-irrelevant-formals-ok are now embedded event forms.


PIs: Boyer, Kaufmann, Moore; Computational Logic, Inc.
phone: (512) 322-9951; email: kaufmann@cli.com
Contract title: A Computational Logic for Applicative Common Lisp
Contract number: N00014-91-C-0130


The command :GOOD-BYE may now be used to quit entirely out of Lisp, thus
losing your work forever. This command works in akcl but may not work in
every Common Lisp.

A theory GROUND-ZERO has been added that contains exactly the enabled rules
in the startup theory. See :DOC ground-zero.

DEFINE-PC-MACRO and DEFINE-PC-ATOMIC-MACRO now automatically define :red
functions. (It used to be necessary, in general, to change color to :red
before invoking these.)

A proof of the well-foundedness of e0-ord-< on the e0-ordinalps is
in :DOC proof-of-well-foundedness.

Free variables are now handled properly for hypotheses of
:type-prescription rules.

When the system is loaded or saved, STATE is now bound to *THE-LIVE-STATE*.

Certify-book has been modified so that when it compiles a file, it loads that
object file.

Defstub has been modified so that it works when the color is hot (:red or
:pink).

Several basic, but not particularly commonly used, events have been
added or changed. The obscure axiom SYMBOL-NAME-INTERN has been
modified. The definition of FIRSTN has been changed. BUTLAST is
now defined. The definition of INTEGER-LENGTH has been modified.

The left-hand side of the rewrite rule rational-implies2 has been
changed from (* (numerator x) (/ (denominator x))) to
(* (/ (denominator x)) (numerator x)), in order to respect the fact that
unary-/ is invisible with respect to binary-*. See
:DOC loop-stopper.

The 'preprocess' process in the waterfall (see the discussion of the
:do-not hint in :DOC hints) has been changed so that it works to
avoid case-splitting. The 'simplify' process refuses to force (see
:DOC force) when there are IF terms, including AND and OR terms, in
the goal being simplified.

The function APPLY is no longer introduced automatically by translation of
user input to internal form when functions are called on inappropriate
explicit values, e.g., (car 3).

The choice of which variable to use as the measured variable in a recursive
definition has been very slightly changed.